Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Dark Web. Show all posts
Dark Web
Cloud Defense Cyber Security Cybersecurity CyberThreat Dark Web

NtKiller Tool Boasts AV/EDR Evasion on Dark Web

 

A threat actor dubbed AlphaGhoul has now begun to push NtKiller-a perilous tool-on the dark web forums, claiming it silently kills antivirus software and bypasses endpoint detection and response systems. As a malware loader, this tool targets popular security products such as Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. This puts organizations relying on traditional security in great danger. Its announcement consolidates the escalating commercialization of evasion tools in the underground. 

NtKiller has a modular pricing system; the base price is $500, while the inclusion of rootkit capabilities or UAC bypass would be an additional $300 each, demonstrating the refinement of cybercriminal sales. KrakenLabs researchers witnessed early-boot persistence, embedding the tool within a system at an early stage of boot time, which is long before most security monitors have become active. This mechanism complicates the work of security teams for detection and removal. 

Beyond basic process killing, NtKiller boasts HVCI disabling, VBS manipulation, and memory integrity bypasses among other advanced evasion tactics. Anti-debugging and anti-analysis protections thwart forensic examination and create a gap between hype and proven performance. The silent UAC bypass escalates privileges with no user prompts, its menace amplified when combined with rootkits for persistent, surreptitious access. 

While the claims target enterprise EDR in aggressive modes, independent verification is lacking, and caution should be exercised when reviewing true efficacy. Such tools pose a more significant challenge to organizations because they take advantage of timing and stealth over signature-based defenses. That makes behavioral detection necessary in the security stacks to help with mitigating these threats.

Cybersecurity professionals recommend vigilance, layered defense, and active monitoring as a way of mitigating tools such as NtKiller in these increasing dark web threats. As cybercriminals continue to improve evasion techniques, it requires moving the advantage beyond simple reliance on traditional antivirus. This incident has highlighted the need for timely threat intelligence within enterprise security strategies.
Read more »
Telegram
cryptocurrency Cyber Crime Dark Web Scams Telegram

Telegram-Based Crypto Scam Networks Are Now Larger Than Any Dark Web Market in History

 



For years, illegal online marketplaces were closely linked to the dark web. These platforms relied on privacy-focused browsers and early cryptocurrencies to sell drugs, weapons, stolen data, and hacking tools while remaining hidden from authorities. At the time, their technical complexity made them difficult to track and dismantle.

That model has now changed drastically. In 2025, some of the largest illegal crypto markets in history are operating openly on Telegram, a mainstream messaging application. According to blockchain intelligence researchers, these platforms no longer depend on sophisticated anonymity tools. Instead, they rely on encrypted chats, repeated channel relaunches after bans, and communication primarily in Chinese.

Analysis shows that Chinese-language scam-focused marketplaces on Telegram have reached an unprecedented scale. While enforcement actions earlier this year temporarily disrupted a few major platforms, activity quickly recovered through successor markets. Two of the largest currently active groups are collectively processing close to two billion dollars in cryptocurrency transactions every month.

These marketplaces function as service hubs for organized scam networks. They provide money-laundering services, sell stolen personal and financial data, host fake investment websites, and offer digital tools designed to assist fraud, including automated impersonation technologies. Researchers have also flagged listings that suggest serious human exploitation, adding to concerns about the broader harm linked to these platforms.

Their rapid growth is closely connected to large-scale crypto investment and romance scams. In these schemes, victims are gradually manipulated into transferring increasing amounts of money to fraudulent platforms. Law enforcement estimates indicate that such scams generate billions of dollars annually, making them the most financially damaging form of cybercrime. Many of these operations are reportedly run from facilities in parts of Southeast Asia where trafficked individuals are forced to carry out fraud under coercive conditions.

Compared with earlier dark web marketplaces, the difference in scale is striking. Previous platforms processed a few billion dollars over several years. By contrast, one major Telegram-based marketplace alone handled tens of billions of dollars in transactions between 2021 and 2025, making it the largest illicit online market ever documented.

Telegram has taken limited enforcement action, removing some large channels following regulatory scrutiny. However, replacement markets have repeatedly emerged, often absorbing users and transaction volumes from banned groups. Public statements from the platform indicate resistance to broad bans, citing privacy concerns and financial freedom for users.

Cryptocurrency infrastructure also plays a critical role in sustaining these markets. Most transactions rely on stablecoins, which allow fast transfers without exposure to price volatility. Analysts note that Tether is the primary stablecoin used across these platforms. Unlike decentralized cryptocurrencies, Tether is issued by a centralized company with the technical ability to freeze funds linked to criminal activity. Despite this capability, researchers observe that large volumes of illicit transactions continue to flow through these markets with limited disruption. Requests for comment sent to Tether regarding its role in these transactions did not receive a response at the time of publication.

Cybercrime experts warn that weak enforcement, fragmented regulation, and inconsistent platform accountability have created conditions where large-scale fraud operates openly. Without coordinated intervention, these markets are expected to continue expanding, increasing risks to users and the global digital economy.



Read more »
Stolen Credentials
Cybercrime Trends Cybersecurity Threats Dark Web Data Breach Digital Security Identity Protection Online Privacy Proton Research Stolen Credentials

Security Researchers at Proton Warn of Massive Credential Exposure


 

Data is becoming the most coveted commodity in the ever-growing digital underworld, and it is being traded at an alarming rate. In a recent investigation conducted by Proton, it has been revealed that there are currently more than 300 million stolen credentials circulating across dark web marketplaces, demonstrating how widespread cybercrime is. 

According to Proton's Data Breach Observatory, which continuously monitors illicit online forums for evidence of data compromise, there is a growing global cybersecurity crisis that is being revealed. In the year 2025, the Observatory has recorded 794 confirmed breach incidents. When aggregating these data, the number increases to 1,571, which amounts to millions of records exposed to the public in the coming years. 

One of the troubling aspects of the research is the pattern of targeting small and medium-sized businesses: cybercriminals have increasingly targeted these companies. Over half of all breaches were recorded at companies with between 10 and 249 employees, while 23% of breaches occurred in micro businesses with fewer than 10 employees. 

This report highlights a growing truth about the digital age: while businesses are racing to innovate and expand online, threat actors are evolving just as quickly. As a result, the vast internet architecture has become a vibrant market for stolen identities, corporate secrets, and business secrets. 

Security breaches are still largely hidden from the public eye for many organisations due to fear of reputational damage, financial losses, or regulatory scrutiny, so they remain reluctant to reveal them. This leaves the true extent of cybercrime largely hidden from the public eye. Using Proton's latest initiative, the company hopes to break down the silence surrounding this threat by tracking it to its source: the underground marketplaces that openly sell stolen credentials and personal data.

In doing so, Proton is continuing its quest to foster a safer, more private internet, which is a vital component of the company's mission. As an extension of the Proton VPN Observatory, which monitors global instances of government-imposed internet restrictions and VPN censorship in the form of government-imposed restrictions, the Data Breach Observatory extends that vigilance to track instances of cybercrime in the form of data breaches. 

Its creation, which is made in collaboration with Constella Intelligence, is an observatory that constantly scans the dark web for new breaches, analysing the types of data compromised, including passwords and personal identifiers, as well as financial records, and the number of accounts affected. 

Through real-time monitoring, Proton can alert victims as soon as a breach occurs, sometimes even before the breached organisation realises it is happening. The Proton platform provides transparent, publicly accessible insights into these security breaches, which are aimed at both educating users about the magnitude of the threat and discouraging organisations from concealing their security shortcomings. 

There is a policy of responsible disclosure at the heart of this initiative, which ensures that affected entities are informed in advance of any public announcement relating to the incident. This is an era that has been defined by data theft and corporate secrecy since the dawn of the digital age. Proton's proactive approach serves as a countermeasure, turning dark web intelligence into actionable preventative measures. 

With this initiative, the company not only reveals the hidden mechanics of cybercrime but also strengthens its reputation as a pioneer in digital transparency and empowerment for users, allowing businesses and individuals alike a better understanding of the shadowy forces that shape today's cybersecurity landscape, as well as the risks associated with it. 

In its latest research, Proton has provided a sobering assessment of the escalating cost of cybercrime to smaller businesses. There have been an estimated four out of five small businesses in recent months that have been affected by data breaches, and these attacks have often resulted in losses exceeding one million dollars. 

As part of the growing crisis surrounding data breaches, a Data Breach Observatory was established to identify breaches that often remain hidden until a significant amount of damage has been sustained. Proton constantly scans dark web marketplaces where stolen credentials are traded to deliver early warnings about potential breaches so that organisations can take steps to protect their data before attackers have an opportunity to exploit it further. 

Through the course of these investigations, a wide range of personal and financial details were uncovered, including names, dates of birth, email addresses, passwords, and physical contact information of those individuals. 

Almost all of these breaches have involved social security numbers, bank credentials, and IBAN details being exposed, which together represent an alarming combination that creates an extremely high likelihood of identity theft and financial fraud. 

It has been recorded by the observatory that several high-profile incidents will occur in 2025, such as the Qantas Airways breach in October that exposed more than 11.8 million customer records; Alleianz Life Germany in September, with more than one million compromised accounts; and the U.S. tech firm Tracelo that was breached by 1.4 million records earlier this year, while breaches at Free Telecom, a French company, and SkilloVilla, a Indian company, revealed 19 million records and 33 million records respectively, emphasizing the threat to be very global in nature. 

Security experts have always stressed the necessity of multi-factor authentication, as well as strong password management, as essential defences against credential-based attacks. Consequently, Proton reiterates this advice by advising businesses to regularly monitor their credentials for leaks and to reset passwords as soon as suspicious activity is detected. 

The company enables businesses to verify whether or not their data has been compromised through its public access observatory platform, which is a critical step toward minimising the damage done to a business before cybercriminals can weaponise the data stolen. This is done through the company's public observatory platform that is widely accessible. 

A stronger global security awareness and proactive cybersecurity practices are essential, and Proton's Data Breach Observatory confirms this need. Aside from the observatory's use as a crucial alert system, it is important to note that experts also emphasise that prevention is the best form of protection when it comes to securing information online. 

The Observatory stresses the importance of adopting layered security strategies, including the use of Virtual Private Networks (VPNs) that safeguard online communications and reduce the risk of interception, even in situations where users' data is compromised. By using its own Proton VPN, based on end-to-end encryption and the company's signature Secure Core architecture, traffic passes through multiple servers located in privacy-friendly jurisdictions, effectively masking users' IP addresses and shielding their digital identities from cybercriminals. The company is effectively protecting their digital identity from prying eyes. 

As a result of the robust infrastructure, the observatory continues to monitor across the dark web, and personal information remains encrypted and protected from the cybercriminal networks it monitors. Besides technical solutions, Proton and cybersecurity experts alike emphasise the importance of a set of foundational best practices for individuals and organisations who want to strengthen their defences. 

This is the best way to protect online accounts is to enable multi-factor authentication (MFA), widely recognised as the most effective method of preventing the theft of credentials, and to use a password manager whose function is to keep secure passwords for every online account. As part of regular breach monitoring, Proton's observatory platform can be used to provide timely alerts whenever credentials are discovered in leaked databases. 

In addition to fostering cybersecurity awareness among employees, companies must also create an incident response plan, enforce the principle of least privilege, and make sure that only systems that are essential to the role they are playing are accessible. Taking advantage of more advanced strategies, including network segmentation, enterprise-grade identity and access management (IAM) tools, such as Privileged Access Management (PAM), may allow for further containment and protection of critical infrastructure. 

These recommendations have been derived from the fact that credential theft is often based on exploited software vulnerabilities or weak configurations that are often exploited by hackers. An unpatched flaw—such as an API endpoint that is exposed or an authentication mechanism that is not working properly—can result in brute-force attacks or session hijacking attacks. 

Proton's exposure itself does not have any specific link to a vulnerability identifier; however, it indicates that there are still many systemic vulnerabilities which facilitate large-scale credential theft across many industries today. As a result of the importance of patching timely manner and implementing strict configuration management, businesses can significantly reduce the chances of attackers gaining access to their network. 

However, Proton’s research goes well beyond delivering a warning. It calls for action. The number of compromised accounts on dark web markets has increased by over 300 million, and we cannot afford to stay complacent. This study underscores that protecting one's data is not merely about technology, but about maintaining a proactive approach to cyber hygiene and continuous vigilance. 

A message Protoemphasises in this, when data is both a commodity and a target, it is clear: the key to digital safety lies in proactive defence, informed awareness, and collective responsibility. In an age when the digital landscape is becoming increasingly complex, Proton’s findings serve as a powerful reminder that cybersecurity is not an investment that can be made once but is an ongoing commitment. 

Organisations that take steps to ensure that their employees are informed and trained about cyber threats are better prepared to cope with the next wave of cyber threats. Several security measures, including encrypting infrastructure, conducting regular security audits, and continuously performing vulnerability assessments, can be taken to significantly reduce exposure, while collaborations between cybersecurity researchers and private firms can strengthen collective defences. 

Even though stolen data fuels a thriving underground economy in today's cyber world, the most effective defences against cybercrime remain vigilance and informed action.
Read more »
Technology
AI Cloud Dark Web Internet Ransomware Technology

Why Ransomware Attacks Keep Rising and What Makes Them Unstoppable


In August, Jaguar Land Rover (JLR) suffered a cyberattack. JLR employs over 32,800 people and provides additional 104,000 jobs via it's supply chain. JLR is the recent victim in a chain of ransomware attacks. 

Why such attacks?

Our world is entirely dependent on technology which are prone to attacks. Only a few people understand such complex infrastructure. The internet is built to be easy, and this makes it vulnerable. The first big cyberattack happened in 1988. That time, not many people knew about it. 

The more we rely on networked computer technology, the more we become exposed to attacks and ransomware extortion.

How such attacks happen?

There are various ways of hacking or disrupting a network. Threat actors get direct access through software bugs, they can access unprotected systems and leverage them as a zombie army called "botnet," to disrupt a network.

Currently, we are experiencing a wave of ransomware attacks. First, threat actors hack into a network, they may pretend to be an employee. They do this via phishing emails or social engineering attacks. After this, they increase their access and steal sensitive data for extortion reasons. By this, hackers gain control and assert dominance.

These days, "hypervisor" has become a favourite target. It is a server computer that lets many remote systems to use just one system (like work from home). Hackers then use ransomware to encode data, which makes the entire system unstable and it becomes impossible to restore the data without paying the ransom for a decoding key.

Why constant rise in attacks?

A major reason is a sudden rise in cryptocurrencies. It has made money laundering easier. In 2023, a record $1.1 billion was paid out across the world. Crypto also makes it easier to buy illegal things on the dark web. Another reason is the rise of ransomware as a service (RaaS) groups. This business model has made cyberattacks easier for beginner hackers 

About RaaS

RaaS groups market on dark web and go by the names like LockBit, REvil, Hive, and Darkside sell tech support services for ransomware attack. For a monthly fees, they provide a payment portal, encryption softwares, and a standalone leak site for blackmailing the victims, and also assist in ransom negotiations.


Read more »
Phishing and Spam
Customer Data Customer Data Exposed Dark Web Data Breach Data exposed data security Hackers identity theft risk Phishing and Spam

Toys “R” Us Canada Data Breach Exposes Customer Information, Raising Phishing and Identity Theft Concerns

 

Toys “R” Us Canada has confirmed a data breach that exposed sensitive customer information, including names, postal addresses, email addresses, and phone numbers. Although the company assured that no passwords or payment details were compromised, cybersecurity experts warn that the exposed data could still be exploited for phishing and identity theft schemes. 

The company discovered the breach after hackers leaked stolen information on the dark web, prompting an immediate investigation. Toys “R” Us engaged a third-party cybersecurity firm to conduct forensic analysis and confirm the scope of the incident. Early findings revealed that a “subset of customer records” had been stolen. The retailer began notifying affected customers through official communications, with letters quickly circulating on social media after being shared by recipients.  

According to the company’s statement, the breach did not involve financial information or account credentials, but the exposure of valid contact details still presents significant risk. Cybercriminals often use such data to create convincing phishing emails or impersonate legitimate companies to deceive victims into revealing sensitive information. 

Toys “R” Us stated that its IT systems were already protected by strong security protocols but have since been reinforced with additional defensive measures. The company has not disclosed how the attackers infiltrated its network or how many individuals were impacted. It also confirmed that, to date, there is no evidence suggesting the stolen data has been misused. 

In the aftermath of the incident, Toys “R” Us reported the breach to relevant authorities and advised customers to remain vigilant against phishing attempts. The company urged users not to share personal information with unverified senders, avoid clicking on suspicious links or attachments, and closely monitor any unusual communications that appear to come from the retailer.  

While no hacking group has claimed responsibility for the breach, cybersecurity analysts emphasize that exposed names, emails, and phone numbers can easily be weaponized in future scams. The incident underscores how even non-financial data can lead to significant cybersecurity risks when mishandled or leaked. 

Despite the company’s reassurances and strengthened defenses, the breach highlights the ongoing threat businesses face from cyberattacks that target customer trust and data privacy.
Read more »
Technology
Cloud Dark Web Data Digital ID Internet Technology

Is UK's Digital ID Hacker Proof?


Experts warned that our data will never be safe, as the UK government plans to launch Digital IDs for all citizens in the UK. The move has received harsh criticism due to a series of recent data attacks that leaked official government contacts, email accounts, staff addresses, and passwords. 

Why Digital IDs?

The rolling out of IDs means that digital identification will become mandatory for right-to-work checks in the UK by the end of this Parliament session. It aims to stop the illegal migrants from entering the UK, according to Keir Starmer, the UK's Prime Minister, also stressing that the IDs will prevent illegal working.

Experts, however, are not optimistic about this, as cyberattacks on critical national infrastructure, public service providers, and high street chains have surged. They have urged the parliament to ensure security and transparency when launching the new ID card scheme. 

According to former UK security and intelligence coordinator and director of GCHQ David Omand, the new plan will offer benefits, but it has to be implemented carefully. 

Benefits of Digital IDs

David Omand, former UK security and intelligence coordinator and director of GCHQ, said the scheme could offer enormous benefits, but only if it is implemented securely, as state hackers will try to hack and disrupt. 

To prevent this, the system should be made securely, and GCHQ must dedicate time and resources to robust implementation. The digital IDs would be on smartphones in the GOV.UK’s wallet app and verified against a central database of citizens having the right to live and work in the UK.

Risk with Digital IDs

There is always a risk of stolen data getting leaked on the dark web. According to an investigation by Cyjax, more than 1300 government email-password combinations, addresses, and contact details were accessed by threat actors over the past year. This is what makes the Digital ID card a risk, as the privacy of citizens can be put at risk. 

The UK government, however, has ensured that these digital IDs are made with robust security, secured via state-of-the-art encryption and authentication technology. 

According to PM Starmer, this offers citizens various benefits like proving their identity online and control over how data is shared and with whom.

Read more »
Personal Information
Dark Web Data Breach data security Data Theft Discord Discord Users leaked sensitive data personal data security Personal Information

Nearly Two Billion Discord Messages Scraped and Sold on Dark Web Forums

 

Security experts have raised alarms after discovering that a massive collection of Discord data is being offered for sale on underground forums. According to researchers at Cybernews, who reviewed the advertisement, the archive reportedly contains close to two billion messages scraped from the platform, alongside additional sensitive information. The dataset allegedly includes 1.8 billion chat messages, records of 35 million users, 207 million voice sessions, and data from 6,000 servers, all available to anyone willing to pay. 

Discord, a platform widely used for gaming, social communities, and professional groups, enables users to connect via text, voice, and video across servers organized around different interests. Many of these servers are open to the public, meaning their content—including usernames, conversations, and community activity—can be accessed by anyone who joins. While much of this information is publicly visible, the large-scale automated scraping of data still violates Discord’s Terms of Service and could potentially breach data protection regulations such as the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA).

The true sensitivity of the dataset remains unclear, as no full forensic analysis has been conducted. It is possible that a significant portion of the messages and voice records were collected from publicly accessible servers, which would reduce—but not eliminate—the privacy concerns. However, the act of compiling, distributing, and selling this information at scale introduces new risks, such as the misuse of user data for surveillance, targeted phishing, or identity exploitation. 

Discord has faced similar challenges before. In April 2024, a service known as Spy.Pet attempted to sell billions of archived chat logs from the platform. That operation was swiftly shut down by Discord, which banned the associated accounts and confirmed that the activity violated its rules. At the time, the company emphasized that automated scraping and self-botting were not permitted under its Terms of Service and stated it was exploring possible legal action against offenders. 

The recurrence of large-scale scraping attempts highlights the ongoing tension between the open nature of platforms like Discord and the privacy expectations of their users. While public servers are designed for accessibility and community growth, they can also be exploited by malicious actors seeking to harvest data en masse. Even if the information being sold in the latest case is largely public, the potential to cross-reference user activity across communities raises broader concerns about surveillance and abuse. 

As of now, Discord has not issued an official statement on this latest incident, but based on previous responses, it is likely the company will take steps to disrupt the sale and enforce its policies against scraping. The incident serves as another reminder that users on open platforms should remain mindful of the visibility of their activity and that service providers must continue to balance openness with strong protections against data misuse.
Read more »
Ransomwares
Colt ransomware attack Colt WarLock hackers Customer Data Cyber Attacks Dark Web data stealing Ransom Demand ransomware attacks Ransomware group Ransomwares

Colt Technology Services Confirms Customer Data Theft After Warlock Ransomware Attack



UK-based telecommunications provider Colt Technology Services has confirmed that sensitive customer-related documentation was stolen in a recent ransomware incident. The company initially disclosed on August 12 that it had suffered a cyberattack, but this marks the first confirmation that data exfiltration took place. In its updated advisory, Colt revealed that a criminal group accessed specific files from its systems that may contain customer information and subsequently posted the filenames on dark web forums. 

To assist affected clients, Colt has set up a dedicated call center where customers can request the list of exposed filenames. “We understand that this is concerning for you,” the company stated in its advisory. Notably, Colt also implemented a no-index HTML meta tag on the advisory webpage, ensuring the content would not appear in search engine results. 

The development follows claims from the Warlock ransomware gang, also known as Storm-2603, that they are auctioning one million stolen Colt documents for $200,000 on the Ramp cybercrime marketplace. The group alleges the files contain financial data, customer records, and details of network architecture. 
Cybersecurity experts verified that the Tox ID used in the forum listing matches identifiers seen in the gang’s earlier ransom notes, strengthening the link to Colt’s breach. The Warlock Group, attributed to Chinese threat actors, emerged in March 2025 and initially leveraged leaked LockBit Windows and Babuk VMware ESXi encryptors to launch attacks. Early operations used LockBit-style ransom notes modified with unique Tox IDs to manage negotiations. 

By June, the group rebranded under the name “Warlock Group,” establishing its own negotiation platforms and leak sites to facilitate extortion. Recent intelligence reports, including one from Microsoft, have indicated that the group has been exploiting vulnerabilities in Microsoft SharePoint to gain unauthorized access to corporate networks. Once inside, they deploy ransomware to encrypt data and steal sensitive files for leverage. 

The group’s ransom demands vary significantly, ranging from $450,000 to several million dollars, depending on the target organization and data involved. Colt’s disclosure highlights ongoing challenges faced by enterprises in safeguarding critical infrastructure against sophisticated ransomware actors. Telecommunications companies, which manage vast volumes of sensitive customer and network data, remain particularly attractive targets. 

As threat actors refine their tactics and increasingly combine encryption with data theft, the risks to both organizations and their clients continue to escalate. While Colt has not confirmed whether it plans to engage with the ransomware operators, the company emphasized its focus on mitigating the impact for customers. 

For now, the stolen documents remain for sale on the dark web, and the situation underscores the broader need for enterprises to strengthen resilience against the evolving ransomware landscape.
Read more »
Subscribe to: Comments (Atom)